Data Protection Policy and GDPR 2018
2. Background to this Policy
3. Policy and Guidance
4. Application of the Policy
6. Responsibilities of The Board Management, Staff, and Learners Volunteers
7. Disclosure of information to external organisations/parties.
8. Access to Data
9. Retention of Data
12. CCTV Access and Control
13. Compliance Policy Awareness and Disciplinary Procedures
14. Roles and Responsibilities
15. Status of Policy
This document sets out Shire Aggregates Bulk Ltd's policy on data protection. It provides an overview of data protection requirements and directs you to more detailed guidance as appropriate. Through its day to day operations the Company collects and holds certain types of information about individuals. These include customers, suppliers, current, past and prospective employees, and others with whom it communicates (referred to in this policy as data subjects). In addition, it may occasionally be required by law to collect and use certain types of information of this kind to comply with the requirements of government departments. The Data Protection Act 1998 (DPA) includes safeguards to ensure personal information is dealt with properly regardless of how it is collected, recorded and used, whether on paper, electronic or other medium. Article 2 GDPR 2018. The GDPR 2018 supplements the Data Protection Act.
If you have any questions relating to this policy, please contact The DPO (Data Protection Officer) email email@example.com
2. BACKGROUND TO THIS POLICY
2.1 The General Data Protection Regulation 2018 (“GDPR”) establishes a framework of rights and duties which are designed to safeguard personal data. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes with the right of individuals to retain the privacy of their personal details. The legislation is underpinned by a set of eight straightforward principles, which define how data can be legally processed.
Data Protection Policy working with the GDPR 2018: The Data Protection Bill is due to become law in 2018. The Bill will repeal the Data Protection Act 1998 and supplement the GDPR regulations for the UK as they become law on 25th May 2018. Upon receiving royal assent, the Data Protection Bill will become the Data Protection Act 2018 and extend the data protection laws which are not covered by the GDPR. It is intended to provide a comprehensive package to protect personal data. The Bill contains important elements to support the GDPR, which will take effect from 25 May 2018. The plan is for the Bill to have completed its parliamentary passage and be ready to take effect in May when these EU laws take effect.
2.2 These eight principles are:
2.2.1 Personal data shall be processed fairly and lawfully
2.2.2 Personal data shall be held only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or purposes
2.2.3 Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed
2.2.4 Personal data shall be accurate and where necessary kept up to date
2.2.5 Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose
2.2.6 Personal data shall be processed in accordance with the rights of data subjects under the DPA
2.2.7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of the data.
2.2.8 Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
2.3 The Act defines both personal data and sensitive personal data.
Personal data is any information that can identify a living individual and can include such items as home and work address, personal email address, age, telephone number and Company’s attended, and even photographs and other images.
Sensitive personal data consists of racial/ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life and information relating to legal proceedings and convictions.
Personal data comes under the categories of confidential or restricted information in the Information Classification Standard depending on the volume. Sensitive personal data comes under the category of confidential information only in the Information Classification Standard.
2.4 The DPA sets out a number of obligations with which an organisation that holds or uses personal data must comply to safeguard that personal data. In particular certain conditions specified in the DPA must be satisfied to justify the holding or use of personal data.
Staff who are unsure what conditions apply to personal data they intend to process should seek advice from the Data Protection Officer.
3 POLICY AND GUIDANCE
3.1 The Company regards the lawful and correct treatment of personal data as crucial to the successful delivery of the highest quality of service. The lawful and correct processing of personal information is a key part of building trust and confidence with external and internal customers.
The Company will fully implement all aspects of the Data Protection Act 1998 as amended by GDPR 2018
The Company will ensure all staff and other individuals are fully aware of both their rights and obligations under “the Act”.
The Company will implement adequate and appropriate physical and technical security measures and organisational measures to ensure the security of all information contained in or handled by those systems, including computer systems.
It is not the Company’s policy to transfer individuals’ data.
The Company is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.
3.2 This Policy and the Company Manual apply to all personal data processed for the Company’s purposes, regardless of where it is held and, in respect of automatically processed data, the ownership of the equipment used.
3.3 Links to relevant Company guidance are set out at the end of this policy.
4. APPLICATION OF THIS POLICY
4.1 Aims of the policy are to fully deliver the Principles as stated in the DPA
Personal data shall be processed fairly and lawfully and, shall not be processed unless specific conditions are met.
Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that or those purposes.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Personal data shall be accurate and where necessary, kept up to date.
Personal data shall not be kept longer than necessary, for that purpose or those purposes.
Personal data shall be processed in accordance with the rights of the data subjects in this Act.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
4.2 The Company holds personal information about individuals such as employees, and others, defined as data subjects in the DPA. Such data must only be processed in accordance with the DPA. This Policy and the Company Manual are written to ensure such compliance. Any breach of this Policy and/or the Company Manual may result in the Company as the Data Controller (and in some cases individuals), being in breach of the DPA and therefore liable in law for the consequences of such breach.
4.3 The Directors are responsible for ensuring that the company complies with the DPA. All participants, staff must ensure they have read and understand this Policy and the Company Manual.
4.4 It is the responsibility of all users of personal data throughout the Company to ensure that personal data is kept securely. Personal data should not be disclosed to any unauthorised third party in any form, either accidentally or otherwise.
4.5 Any breach of or failure to comply with this Policy or the Company Manual, particularly any deliberate release of personal data to an unauthorised third party, may result in disciplinary or other appropriate action.
4.6 The Company will continue to perform periodic audits to ensure compliance with this Policy and the DPA and to ensure that all guidance and support is kept up to date.
4.7 Any unauthorised access to or disclosure of personal data or other data security breaches should be reported to the Data Protection Officer and/or the Information Security Manager as soon as possible.
4.8 The Directors are responsible for ensuring that staff remain informed of their obligations under the Data Protection Regulations, with operational duties of advice and support devolved to the DPO.
5. Practical Implications
Conformance with the Data Protection Act is part of the Company’s duty of confidentiality towards customers, suppliers, subcontractors, staff and other individuals with whom it deals. As general guidance the terms of the Act mean that all the staff have a responsibility to ensure compliance with the Act and this policy and to develop and encourage good information handling practices, within their areas of responsibility. All users of personal data within the Company have a responsibility to ensure that they process the data in accordance with the eight Principles and the other conditions set down under GDPR.
In particular they will: –
ensure that information is collected, processed, held, transferred and disposed of appropriately, with care for its quality and security
ensure that the rights of people about whom information is held can be fully exercised under the GDPR, including the right to access information
In addition, the Company will ensure that: –
staff understand their responsibilities with respect to the proper handling of data through the management, supervision, and training
there is someone with specific responsibility for data protection in the organisation
anybody wanting to make enquiries about handling personal information knows what to do and enquiries are dealt with promptly and courteously
the requirements of the GDPR are considered in processes, such as in the development of policy and procedures and the design and the implementation of information systems and the monitoring and evaluation of operational systems and performance
In order to meet the requirements of the principles, the Company will:
observe fully the conditions regarding the fair collection and use of personal data
meet its obligations to specify the purposes for which personal data is used
collect and process appropriate personal data only to the extent that it is needed to fulfil operational or any legal requirements
ensure the quality of personal data used
apply checks to determine the length of time personal data is held
ensure that the rights of individuals about whom the personal data is held can be fully exercised under the GDPR
take the appropriate technical and organisational security measures to safeguard personal data
ensure that personal data is not transferred abroad without suitable safeguards
ensure that all contracts with third parties are data protection compliant
6. Responsibilities of Directors and Staff
This section of the Policy identifies the Data Protection responsibilities of certain members of the company
The Directors are committed to, and ultimately responsible for, ensuring that the Company establishes and adheres to policies and procedures which are compliant with the law and best practice and will therefore approve all policies relating to data protection in the Company.
Approve Company policies & procedures for handling personal information.
Review developments in good practice and Codes of Practice issued by the Information Commissioner having a bearing on Company activities, updating Company policies and procedures, as appropriate.
Allocate resources to enable the Data Protection Policy to be practically and proactively applied within the Company.
Ensure that the Company’s information strategy is matched to its business needs and that the appropriate links are made between Data Protection, IT Security, Information Security, Records Management and Freedom of Information and that a co-ordinated approach to these issues is adopted and maintained.
An important aspect of security is ensuring the reliability of staff. The Directors can contribute to this in a number of ways. They will: –
Ensure that the Company’s Employment Practices are consistent with the Employment Practices Code of Practice.
Ensure that Data Protection obligations are reflected in the Company’s Disciplinary Procedures and contracts of employment.
Ensure that all staff are aware of the types of personal information that the Company will routinely make public (e.g. name, post, qualifications, telephone or email) and that individuals have the right to object to that disclosure when they consider it may cause them substantial damage or distress.
Ensure that all obligations outlined within the DBS Code of Practice published under section 122 of the Police Act 1997 are adhered to. Full details of the DBS Code of Practice can be found at http://www.homeoffice.gov.uk/dbs/
Provide advice to staff and others on the application of the DBS Code of Practice
6.2 DATA PROTECTION OFFICER
The DPO is responsible for maintaining the Company’s Data Protection systems. The DPO will:
Maintain the Company’s Data Protection Notification.
Investigate any potential issues surrounding Data Protection and report findings to the CEO.
Liaise with the Information Commissioner and respond to assessments.
Make recommendations to the CEO regarding Data Protection Policy and good practice.
Provide general guidance and advice and dissemination of information regarding Data Protection.
Deal with subject access requests and co-ordinate responses to complaints.
Co-ordinate and advise on all non-routine requests for disclosure of personal information.
Monitor and report on compliance.
6.3 OFFICE BASED STAFF
Good personal data handling is one aspect of delivering excellent customer service. The key to achieving high standards in handling personal information is recognising that the primary responsibility for complying with legislation and good practice lies with the staff who are responsible for deciding how the personal information is used. Staff in the Company will:
Ensure they are satisfied with the legality of holding and using the information.
Ensure that the use of personal data complies with all appropriate Company policies.
Ensure that the CEO and the staff receive appropriate Data Protection training.
Refer any non-routine requests for disclosure, requests for subject access and requests to cease processing to the DPO immediately.
6.4 IT SERVICES
All staff and users of personal data have some responsibility for the security of that data. In particular they will: –
Be responsible for advising the Company on the state of technological development with regard to IT Security.
Back up data on the Company’s IT systems.
Implement virus detection and hacking preventative measures.
Under instruction from the Directors or the DPO, place appropriate restrictions on access so that individuals only have access to personal data in which they have a legitimate business interest.
Require the use of passwords and ensure they are changed regularly.
Promote policies for the use of Company IT facilities including email, intranet and internet. Investigate breaches of IT security.
6.5 OTHER STAFF
All staff are likely to have access to some personal information in the course of their duties. They will: –
Respect the privacy and confidentiality rights of all data subjects.
Be careful that personal information is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party. This includes making sure that casual access to data is not possible on screen or otherwise.
Only use personal information for approved purposes and ensure that they comply with any instructions and guidelines about the use of personal data.
Inform the Data Protection Officer of any proposed new uses of personal data.
Keep all personal data secure and not remove it from Company premises without the permission of their line manager.
Comply with all Company policies regarding the use of IT facilities.
Check that the information they provide to the Company in connection with their employment is accurate and up-to-date and inform the Company of changes to or errors in information held.
7. Disclosure of information to external organisations/parties.
The Company collects a wide range of personal data relating to staff customers and suppliers for its own purposes, and to meet external obligations including contractual obligations imposed by contractors. This may result in the eventual transfer of personal data to an outside third party, however any such transfers must be permitted under the Act.
Personal data must not be disclosed to unauthorised third parties. Unauthorised third parties includes another individual or organisation, family members, friends, local authorities, government bodies, and the police where the individual has not consented to the transfer unless disclosure is exempted by the 1998 Act, or by other legislation. There is no general legal requirement to disclose information to the police.
However, data can sometimes be disclosed without consent where, for example, it is required for:
Safeguarding matters
protecting the vital interests of the data subject (i.e. release of medical data in emergency)
the prevention or detection of crime
7.1 Transferring information to another third party, with the data subject’s consent.
Personal Data can be transferred to another third party if the data subject has given their consent. This must always be in writing.
Consent cannot be inferred from silence, so if the Company requests consent so that personal data can be provided to a third party, and no response is received, the Company must infer that consent is withheld.
7.2 Disclosure of information to a contractor or prospective employer
A further issue arises where contractors or prospective employers contact the Company to verify details about a data subject, such as contact details. In most circumstances, the data subject would not object to the disclosure of such information, and indeed it would appear to benefit the data subject. However, best practice suggests that the request for information should be accompanied by a statement from the data subject consenting to the disclosure, or at least that the learner should be contacted to confirm their consent.
7.3 Providing information because it is required by law
The Company is frequently required to disclose information in accordance with legislation which it is subject to, e.g. the Company is required to provide information to the Inland Revenue regarding employees’ salaries.
7.4 Data Security during Transit
Every effort should be made to ensure that any data being transferred, regardless of whether electronic or otherwise, remains secure.
Personal data should be sent via a tracked postal service i.e. recorded delivery.
Any electronically stored personal data must be password protected, and where possible encrypted, with the password being sent to the recipient via alternative means. This includes floppy disk, CD, DVD, memory stick, memory cards, laptops, email etc.
The originating member of staff should confirm safe receipt of the information from the recipient and highlight any potential losses to the Data Protection Officer immediately.
8. ACCESS TO DATA
8.1 The DPA gives data subjects a right to access to personal data held about them within a set timescale. Therefore, it is important that the DPO be notified of any request to the Company for access to an individual’s personal data as soon as they are received.
8.2 If you have any questions relating to access to personal data please contact the DPO.
8.3 Right of subject access
Staff, customers, suppliers and other users of the Company have the right to access any personal data that is being kept about them either on computer or in certain files. Any person who wishes to exercise this right should complete the Company Subject Access Request Form available on request. All formal requests using the Subject Access Request Form are recorded by the DPO to monitor compliance with the Act.
The Company cannot charge for a data request.
The Company aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within 28 days. In cases of unavoidable delay, the reason for delay will be explained in writing to the data subject making the request.
8.4 Right to prevent processing likely to cause unwarranted damage or distress
A data subject is entitled to request in writing that the Company does not process personal data where such processing is likely to cause unwarranted damage or distress to him/her.
This right does not apply where: –
The data subject has given consent previously to the processing or the processing is necessary for the purposes of fulfilling a contract with the data subject, fulfilling a legal obligation of the Company or for protecting the data subject’s vital interests.
8.5 Right to prevent direct marketing
A data subject is entitled at any time to request in writing that the Company does not process personal data for the purposes of direct marketing.
8.6 Rights in relation to automated decision making
Subject to certain exemptions, a data subject is entitled at any time, in writing, to require that the Company ensures no decision which significantly affects him/her is based solely on the processing of personal data by automatic means. Where a decision which significantly affects the data subject is based solely on such automatic processing, the Company must notify him/her that the decision was taken on that basis. Any human intervention in an automated process is deemed to show that the decision is not solely automatic. A data subject is entitled to request to be told the logic behind any automated decision making process.
8.7 Rights to compensation
Where a data subject suffers damage or damage and distress as a result of the breach of any of the requirements of the Act, he/she may apply to the Courts for compensation.
Compensation for distress alone can only be claimed where the Company breaches any requirements of the Act when processing his/her personal data in relation to journalistic, artistic or literary purposes.
8.8 Rights to request rectification, blocking, erasure and destruction of inaccurate data
A data subject may apply to the Company requiring the Company to rectify, block, erase or destroy data relating to him/her.
A data subject may request that the Information Commissioner assesses whether it is likely that any processing of personal data has been or is being carried out by the Company in non-compliance with the Act. Depending on the Commissioner’s assessment, Information Notices may be served, or the Commissioner may take enforcement action.
9. RETENTION OF DATA
9.1 Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. This applies to both electronic and non-electronic personal data. The Company’s retention schedule outlines the length of time various classes of records and other data should be kept. This extends to backups and copies made on removable media.
10. DATA TRANSFER
10.1 If data is being sent outside the European Economic Area by the Company, the Company needs to put in place certain safeguards. Please contact the DPO if, for any reason related to the Company (as part of a supplier contract or for your learning, for example), you may need to send personal data outside the EEA.
10.2 Information published on the web must be treated as an export of data outside the EEA. No web-based, or ‘Cloud’ services, should be used for storing or sending sensitive personal data unless this has been agreed with one of the Data Protection Officers.
10.3 Any transfers of personal data outside the EEA and/or extraordinary transfers of data should be signed off by the Company Secretary.
11. CCTV AND ACCESS CONTROL
11.1 In the event that CCTV is installed at the Company premises the CCTV will be used in line with the Company’s Code of Conduct on CCTV.
11.2 Access control systems are used at the Company for the purposes of security, maintenance of IT and building systems and public safety.
11.3 Requests for information held within CCTV and access control systems made by police services under the relevant exemptions in the Data Protection Act will be handled by the DPO.
11.4 Requests for information held within CCTV and access control systems made by any other individuals or organisations will be handled by the Company’s Information Governance Team.
12. COMPLIANCE, POLICY AWARENESS AND DISCIPLINARY PROCEDURES
12.1 The loss or breach of confidentiality of personal data is an infringement of the Data Protection Act 1998 and GDPR 2018 and may result in criminal or civil action against the company. Therefore, all users of personal data at the Company’s information systems must adhere to the Data Protection Policy and its supporting policies as well as the Information Security Policy.
12.2 All current staff, customers and other authorised users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.
12.3 Any breach of this policy will be handled in accordance with all relevant Company policies, including the Conditions of Use of IT Facilities at the company and the appropriate disciplinary policies.
13. ROLES AND RESPONSIBILITIES
13.1 All Staff
Staff at all levels within the Company have a responsibility to actively respond to any concerns relating to confidentiality and ensuring that personal information is processed in accordance with the rights of the individual.
13.2 Reporting of Data Protection Incidents
The notification process detailed in the Appendix should be adhered to when Data Protection Incidents are identified.
The Directors have overall responsibility for the implementation and delivery of this Data Protection Policy on behalf of the Company.
13.4 The Data Protection Officer
The DPO is responsible for facilitating the implementation of the policy and supporting the Company’s staff to understand their responsibilities.
The DPO also has responsibility for ensuring that the Company is fully compliant with the rules for notification including:
that a notification is lodged in its name with the Information Commissioner
that the notification is lodged within the stipulated time
that the notification is concise, correct and maintained
that any changes are notified within the stipulated time period
14 STATUS OF THIS POLICY
This Policy has been approved by The Directors on 12.06.2018. It is available in the policies and procedures section of the website.
This policy is intended to define the policy and principles adopted by Shire Aggregates Bulk Ltd to govern the processing of personal data as specified in the Data Protection Act 1998. Management and staff must have an awareness of the obligations imposed by the Act and, depending on the nature of the information being stored or processed, take appropriate steps to ensure that the Company complies with the legislation.
Through its day to day operations the Company is required to collect and hold certain types of information about individuals. These include customers, suppliers, current, past and prospective employees, volunteers and others with whom it communicates. In addition, it may occasionally be required by law to collect and use certain types of information of this kind to comply with the requirements of government departments. The Data Protection Act includes safeguards to ensure personal information is dealt with properly regardless of how it is collected, recorded and used, whether on paper, electronic or other medium.
Supporting documentation:
DPA Disclosure Guidelines
The policy will be amended upon review annually and in accordance with legislative amendments
1. Contact Details
2. Glossary of Terms
3. Data Protection Policy: Standard Request Form for Access to Data
1. If you have any general enquiries regarding Data Protection please contact:
The Data Protection Officer
Shire Aggregates Bulk Ltd,
Gatherley Road Industrial Estate,
Brompton on Swale, Richmond
North Yorkshire. DL10 7JQ
Telephone 01748 900092
email – firstname.lastname@example.org
Information Commissioner’s Office
Information Commissioner’s Office http://www.ico.gov.uk/
Information Commissioner’s Office Guidance on Cloud Computing http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/online/~/media/documents/library/Data_Protection/Practical_application/cloud_computing_guidance_for_organisations.ashx
Register of Data Controllers http://www.ico.gov.uk/ESDWebPages/search.asp
2. Glossary of Terms
Data is information which is processed by a computer or manually held which forms part of a relevant filing system. A relevant filing system is a system that is structured either by reference to an individual or by criteria relating to individuals so that specific details relating to an individual may be easily selected from that system. Data can be written information, photographs or information like fingerprints, voice recordings, etc. From 2005 the definition of data under the Freedom of Information Act extends to include unstructured manual data but there are transitional arrangements for Data Protection which allow the existing definition of relevant filing systems to stand for existing systems until 2007.
Personal data is information that relates to a living individual who can be identified from that data and other information in or likely to come into the possession of the Data Controller.
Sensitive Personal Data
Sensitive personal data is personal data of the following specific nature: racial or ethnic origin; political opinions; religious beliefs or beliefs of a similar nature; membership of Trade Unions; physical or mental health or condition; sexual life; commission or alleged commission of any offence; proceeding of any offence committed or alleged, the disposal of such proceedings or the sentence of the court.
Processing is anything done with the data including holding and viewing it. If you have personal data, you should assume you are processing it.
The data subject may be asked to agree implicitly to the disclosure of information about themselves to certain named third parties. In the case of a learner this consent is given when they sign an enrolment form or agree to the terms via an online process. In the case of staff this is implicitly given by signing their employment contract.
Where sensitive personal data is to be disclosed to a third party, explicit consent must be sought from the data subject before the disclosure can take place. This consent is for the named disclosure and cannot be taken as consent for other or further processing of the data in this way. It needs to be collected each time such a disclosure is to be made.
The Data Subject is the individual who is the subject of personal data. This will include staff, learners, volunteers, suppliers of goods, visitors, contractors, etc.
The Data Controller is the legal person or body who determines the purposes for which and the manner in which any personal data are, or are to be, processed. The Company is the Data Controller.
The Data Processor is any person other than an employee of the Data Controller who processes data on behalf of the Company
A Third Party is any person other than the Data Subject, the Data Controller, the Data Processor or other person authorised to process data for the Data Controller.
Disclosure & Barring Service (http://www.homeoffice.gov.uk/dbs)
3. Data Protection Policy: Standard Request Form for Access to Data
Appendix to the Data Protection Policy: Standard Request Form for Access to Data
Shire Aggregates Bulk Ltd
Subject Access Request Form
The Data Protection Act 1998 gives customers, staff suppliers and other users of the Company the right to access personal data relating to themselves that is held by the Company as part of a ‘relevant filing system’ (both in electronic and manual format). Any individual who wishes to access data should apply using this Subject Access Request Form.
The Company needs to be assured of the applicant’s identity before relevant data is released
- ARE YOU THE DATA SUBJECT?
Yes – are you applying for data the Company holds about you? You will need to supply the Company with evidence of your identity (learner/staff ID card if applicable, proof of address, driving licence, birth certificate (or photocopy) etc.) as well as a signed copy of this form. This is to ensure we only release data to those who have a right to see the information.
Now complete Q2, 4 and 5 on downloadable form
No – are you acting on behalf of the Data Subject with their written authority? If so, you will need to enclose an original copy of their permission to disclose. This can be a letter which is signed personally by them giving you authority. We must be able to confirm from our records that this request relates to the Data Subject. You will be the applicant. The Data Subject details must be included at Q3.
Now complete Q 2, 3, 4 and 5 on downloadable form
Please fill in this form and return…DOWNLOAD FORM